Archive | February, 2010

GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL . The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.

GreenSQL Architecture

GreenSQL works as a reverse proxy for MySQL connections. This means, that instead of connecting TO THE MySQL server, your applications will connect to THE GreenSQL server. GreenSQL will analyze SQL queries and then, if they’re safe, will forward them to the back-end MySQL server.

New Changes

In this version, GreenSQL provides native support for PostgreSQL (http://www.postgresql.org) databases for the very first time. In fact, GreenSQL is the only database firewall (Open or Closed Source) available for the protection of the many PostgreSQL databases currently in use.

GreenSQL 1.2 merges the GreenSQL-Console package into the GreenSQL-FW. The GreenSQL-Console will no longer be released as a separated package. During the installation process, you will be able to choose whether or not to install the console.

March 29, 2020 - 453 Shares

There’s been a LOT of news lately about attacks from China, Chinese hackers and sites from China propagating malware.

The latest news is that China police have managed to shut down a hacker training operating that was schooling the next generation of Chinese script kiddies.

It seems like China is grooming a huge cyberarmy both in the private section (mostly underground) and in the government sector for cyber-terrorism.

Police in central China have shut down a hacker training operation that openly recruited thousands of members online and provided them with cyberattack lessons and malicious software, state media said Monday. The crackdown comes amid growing concern that China is a center for Internet crime and industrial espionage. Search giant Google said last month its e-mail accounts were hacked from China in an assault that also hit at least 20 other companies.

Police in Hubei province arrested three people suspected of running the hacker site known as the Black Hawk Safety Net that disseminated Web site hacking techniques and Trojan software, the China Daily newspaper said. Trojans, which can allow outside access to a computer when implanted, are used by hackers to illegally control computers. The report did not say exactly when the arrests took place.

Black Hawk Safety Net recruited more than 12,000 paying subscribers and collected more than 7 million yuan ($1 million) in membership fees, while another 170,000 people had signed up for free membership, the paper said.

With over 12,000 paying members they must have been raking in quite a tidy sum in membership fees. Estimated at $1million USD if you take into consideration the economy that’s a lot of money if there’s only 3 guys running the site.

It seems like the group has been around for quite a while, it’s rare to see a fairly underground hacking scene become so commercial.

I’m surprised it took 3 years to get shut-down, but then China has had it’s fair share of more serious problems to deal with.

The case can be traced to a hacking attack in 2007 on an Internet cafe in Macheng city in Hubei that caused Web services for dozens to be disrupted for more than 60 hours, the paper said. A few of the suspects caught in April said they were members of the Black Hawk Safety Net.

Black Hawk’s Web site 3800hk.com could not be accessed, but a notice purportedly from Black Hawk circulating on online forums said that a backup site had been set up. The notice also sought to reassure members of its continued operations and said its reputation was being smeared by some Internet users.

“At this time, there are Internet users with evil intentions who have deliberately destroyed Black Hawk’s reputation, deceived our members and stole material,” the notice addressed to members said. “We must join forces and attack these Web sites.”

A customer service officer contacted by phone, who refused to give his name, said the backup site provides content for its paying members to download course material to allow them to continue their computer lessons — though not in hacking. The Hubei government refused to comment Monday while officials at the provincial public security bureau did not respond to repeated requests for comment.

The site involved seems to be down still but rumors on related forums are that a backup site is already up, I’m sure it’s being kept private though and I suspect only the paying members will be notified of the new URL.

After this bust they’d be foolish not to be a little more cautious.

It’ll be interesting to see if any more news pops up about this Black Hawk Safety Net organization and if so what they are up to.

March 29, 2020 - 453 Shares

As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers.

Typical web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the web that are vulnerable.

SecuBat is a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities.

Software Requirements

Windows 2000, XP, 2003 or higher

.NET Framework 2.0 or higher

MS SQL Server 2000, 2005, Express, MSDE or higher

Known Issues

If you schedule a crawling run, you have to restart SecuBat for manually selecting this crawling run for
an attacking run afterwards if you not choose to do a combined run.

The XSS variants report a not existing vulnerability if the response page contains the injected string within the title tag.

The “Attack Report” window shows only attacks with an analysis value greater than 0 (indicating a vulnerability).

It’s a fairly intricate scam where someone has spent a lot of time effort and exhibited patience in harvesting all of these accounts.

Officials at Twitter linked the resetting of passwords to a malicious Torrent sites and other schemes. According to Twitter, the company began its investigation after noticing a surge in followers for certain accounts during the past five days. Twitter revealed more details about the phishing attacks that caused the company to reset the passwords on some user accounts today.

According to Twitter Director of Trust and Safety Del Harvey, there was a sudden surge in followers for certain accounts during the last five days. For that reason, the company decided to push out a password reset to the accounts, he said. After launching an investigation, Twitter officials linked part of the problem to malicious torrent sites.

“It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own,” Harvey blogged. “However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up.”

The main crux of the story is, if you’ve signed up for any 3rd party private torrent trackers or forums, you’d better go and change your e-mail address and password there. Especially if you were stupid enough to use the same password you use for other sites (such as Twitter).

The trend seems to be continuing with people using the same username, e-mail and password (or at least a variation of the same password) across multiple sites.

I’m pretty sure however, everyone reading this site doesn’t do that as we are fully aware of the danger involved.

“Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information,” he continued. “This information was then used to attempt to gain access to third party sites like Twitter.”

Harvey stated that Twitter has not identified all of the torrent forums involved, but urged anyone who has signed up for one built by a third party to change their password there.

“The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites,” he blogged. “Through our discussions with affected users, we’ve discovered a high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts.”

Not all of the accounts affected were linked to Torrent sites, Harvey added. Earlier today, a Twitter spokesperson told eWEEK that some users had signed up for “get followers fast schemes.”

I see a LOT of people on Twitter falling for these “Get followers fast” or “Get 1000 followers NOW” schemes which require them to give their login credentials to 3rd party sites.

Of course after that the sites use their account to send spam DMs or tweets and often end up in the user account getting locked for spamming.

For those that may not know, Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

March 29, 2020 - 453 Shares

This is a pretty interesting development from Google and also seems to be coming much more common now, companies openly offering payments for bugs/vulnerabilities discovered in their software.

It’s a chance for the white-hat guys to earn a few bucks, but honestly I don’t think it’s going to change anything. Especially not when we’re talking $500 per vulnerability.

A serious browser 0-day exploit that can allow execution of malware will go for 100 times that much on the black market so there’s no real incentive for the bad guys to give up their code for $500.

Google yesterday announced a bug-bounty program that will pay researchers $500 for each vulnerability they report in the Chrome browser and its underlying open-source code.

In a post to the Chromium project’s blog , Chris Evans, who works on the Chrome security team, said the base bounty would be $500, but that “particularly severe or particularly clever” bugs would reap rewards of $1,337 each.

The latter amount is a reference to “leet,” a kind of geek-speak used by some researchers; there, “leet” is rendered as “1337.”

New vulnerabilities in Chrome, Chromium — the open-source project that Google uses to craft Chrome — and plug-ins that ship with Chrome, such as Google Gears, are eligible for bounties, said Evans. Bugs that are ranked “high” or “critical” in Chrome’s rating system get preference, he added, but others may be considered.

Even for the particularly severe or clever bugs they can award up to $1,337, that’s still peanuts compared to what they can sell the exploit for on the open market – or even to companies like TippingPoint ZDI who claim to pay 10 times more (which would be more reasonable, $5000 for a working exploit).

I hope it helps though and gives some legitimate security researches a little more incentive to focus on Chrome, the bad guys won’t pay much attention though as Chrome is still a relatively small player in the browser world.

“We are hoping that … this program will encourage new individuals to participate in Chromium security,” said Evans. “The more people involved in scrutinizing Chromium’s code and behavior, the more secure our millions of users will be.”

“Internet Explorer, Safari, Firefox…those browsers have been out there for a long time,” said Pedram Amini, manager of the security research team at 3com’s Austin, Tex.-based TippingPoint, which operates Zero Day Initiative (ZDI), one of the two best-known bug-bounty programs. “But Chrome, and now Chrome OS, need researchers. Google needs people to put eyes on the target.”

Google’s new bounty program isn’t the first from a software vendor looking for help rooting out vulnerabilities in its own code, but it’s the largest company to step forward, Amini said. Microsoft , for example, has traditionally dismissed any calls that it pay for vulnerabilities. “This will be beneficial to Google,” Amini added. “There are actually very few vendors who play in the bounty market, but Google doing it is definitely interesting.”

I don’t realistically expect any groundbreaking bugs to come out of this initiative, but I think a few people might bust out their browser fuzzing tools and see what they can find.

Worth a bit of effort if you can find 10 decent bugs in a couple of hours and net yourself $5000usd.